First ICO ransomware fine: what lessons can we learn?

Last week the ICO fined leading criminal solicitors Tuckers LLP £98,000 for breaches of its security, and other, obligations under the GDPR which came to light following a ransomware attack. The monetary penalty notice provides some useful lessons for all organisations regarding the ICO’s view on ransomware attacks (which apply to cyber attacks more generally) and the issues it considers when determining whether, and how much, to fine.

What happened?

On 24 August 2020, parts of Tuckers IT system became unavailable. On investigation, its IT staff identified a ransomware note from the attacker stating that they had compromised Tuckers' system. The following day, Tuckers notified the ICO, explaining that over 24,000 civil and criminal legal case bundles (972,191 individual files in total) stored on an archive server had been encrypted by the attacker, together with the backups. Sixty of the case bundles were exfiltrated and published on the "dark web”. The files contained personal and special category data, some of which was incredibly sensitive involving serious crimes and vulnerable people. However, the vast majority of the personal data Tuckers was processing was held on other servers and systems that were not affected by the attack. Also, while it permanently lost the majority of the compromised court bundles, the materials within those bundles were still available on its case management system.

Following its investigation, the ICO determined that Tuckers had infringed its obligations under Articles 5(1)(f) and 32 of the GDPR to keep the personal data secure and confidential. For example, a known and high risk system vulnerability flagged by the NCSC and others remained unpatched for five months, the archived files were not encrypted and it failed to implement multi-factor authentication (MFA) on its remote access solution. ‘Further negligent practices’ that were of concern to the Commissioner included the processing of personal data on an operating system which was no longer supported and the failure to follow (or justify departing from) its retention practices. These also raised concerns around its storage limitation and privacy by design obligations.

What can we learn from the fine?

The notice methodically steps through the breach and the Commissioner’s response to it, providing insights into the ICO’s approach. For example:

• Culpability: While the ICO makes it clear that primary culpability for this incident rests with the ransomware attacker, the infringements identified by the Commissioner were relevant to the personal data breach because they gave the attacker a weakness (vulnerability) to exploit and/or because they increased the risks to personal data once the attacker entered Tuckers' network.
• ICO approach: The ICO closely followed the five step process set out in its Regulatory Action Policy (a policy which, incidentally, is currently under review – see our blog). The current policy looks to remove any financial gain that may be made by the victim from the breach, to add in elements to reflect its scale/severity, any aggravating factors and deterrent effect and then to consider whether the amount should be reduced to reflect any mitigating factors. In light of this, the ICO found that:
  • The nature, gravity and duration of the infringements meant a fine was appropriate. The severity of infringement was increased by the fact that special category data, sometimes relating to children and other vulnerable individuals, was involved. This follows a trend we are seeing of the ICO focussing its enforcement action on harm caused to high risk and sensitive data (see for example the Mermaids and Cabinet Office penalties).
  • The fact that some of this information would have been subject to use in open court proceedings “did not eliminate the serious prejudicial consequences of this attack.” Extensive sensitive data was made available to unauthorised persons in ways that are very different from references in court. Also, as we have previously seen in the Cabinet Office case, the fact that some of the information was already in the public domain will not always be viewed by the ICO as a mitigating factor.
  • The scale and severity of the breach meant that the starting point of the fine was 3.25% of Tucker’s relevant annual turnover (a figure of £331,518.59). In this instance, the penalty was not increased to reflect the aggravating factor that Tucker failed to comply with its regulator’s code of conduct or to add a deterrent effect, although the reasons for this were not explained. It was, however, reduced to £98,000 (or just under 1% of the relevant annual turnover) following the ‘significant representations’ Tucker made to the ICO. These were regarding remedial measures taken following the breach, Tucker's financial position, further clarification that the breach only impacted the archive system, the important work Tucker’s do in protecting vulnerable individuals and additional information which narrowed the Commissioner’s findings regarding the contravention (although, intriguingly, no further detail was included on this latter point). Importantly, the Commissioner did not provide a reduction for all remedial action – the purchase of software, the fact that deletion is now automated, the implementation of MFA and staff training, for example, were all processes that the ICO considered should have been in place in any event.
• State of the art: When considering the state of the art (a requirement in the various security obligations) the ICO considered relevant industry standards of good practice including the ISO27000 series, NIST standards (e.g. NIST 800-63b and 800-53), specific guidance from itself and the NCSC, the NCSC’s Cyber Essentials as well as sector guidance and accreditation (in this case the Solicitors Regulatory Authority and Lexcel). Interestingly, Tuckers had been assessed against the Cyber Essentials criteria in October 2019 and had failed this assessment. The fact that ten months after failing Cyber Essentials it had still not resolved the issues is, in the Commissioner’s view, “sufficient to constitute a negligent approach to data security obligations.”
• Style of notice: As an interesting aside, the style of penalty notice seems more formulaic and legalistic in its approach than we have seen recently, although this may simply reflect the new Commissioner’s legal background. 

Comment

Ransomware attacks are never far from the headlines, and a ransomware linked ICO fine (even one under £100K) is unsurprisingly big news. However, in terms of the messages coming from the penalty notice, it is an example of the importance of getting the basics right across your entire estate (including archived material) – both to prevent attacks being successful and to avoid enforcement action if they are. Keeping up with the state of the art is also key. While patching, encryption and MFA have all been advised for some time now, the range of guidance the ICO referenced in the notice shows that it expects those processing personal data to be keeping on top of both general, and sector-specific, guidance. In its March e-newsletter, for example, the ICO describes its practical steps to keep IT systems safe guidance and its newly published guidance around ransomware as good places to start. Utilising accreditation schemes like Cyber Essentials (assuming of-course you are able to pass the assessment, or fix things if you don’t) can also help. 

In addition, the fine is another example of the ICO focussing its enforcement action on harm caused to high risk and sensitive data. It is therefore a reminder for those processing sensitive, special category data to take their security obligations particularly seriously, and for all organisations that being the victim of a cyber attack is no defence if you have failed to put the necessary technical and organisational measures in place. That said, it also shows how effective representations to the ICO can be. In this instance, they appear to have significantly reduced the fine from over three, to under one, percent of the relevant annual turnover.